[https://issues.apache.org/jira/browse/XALANJ-2793?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Joshua Marquart updated XALANJ-2793:
------------------------------------
Affects Version/s: 2.7.1
Xalan info: PatchAvailable
> Xalan JAXP impl. missing fix for CVE-2019-2973
> ----------------------------------------------
>
> Key: XALANJ-2793
> URL: https://issues.apache.org/jira/browse/XALANJ-2793
> Project: XalanJ2
> Issue Type: Bug
> Security Level: No security risk; visible to anyone (Ordinary problems in
> Xalan projects. Anybody can view the issue.)
> Components: JAXP
> Affects Versions: 2.7.1, 2.7.2, 2.7.3
> Reporter: Joshua Marquart
> Priority: Minor
> Attachments: xalanj-2793-20241213b.patch
>
>
> org.apache.xpath.compiler.XPathParser has the potential to throw a
> StackOverflowError, under certain conditions.
> Per the CVE summary, this has already been resolved by certain JRE releases
> of JAXP; however, a cursory review of the existing releases of the classes from
> Xalan shows the compensating code was not applied to Xalan's embedded JAXP
> classes, and they therefore have the potential to throw a StackOverflowError.
> CVE Details: [https://nvd.nist.gov/vuln/detail/cve-2019-2973]
> OpenJDK resolved this CVE here:
> [https://hg.openjdk.org/jdk8u/jdk8u/jaxp/rev/9094c855c4b4]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)